Google has released emergency security updates to patch a high-severity vulnerability in the Chrome web browser that can lead to a full account takeover after successful exploitation.
While it is not yet clear whether this security flaw has been used in attacks, the company warned that a public exploit exists, which is usually an indication of active exploitation.
“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” Google said in a security advisory published on Wednesday.
The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as insufficient policy enforcement in Google Chrome’s Loader component, which allows remote attackers to leak cross-origin data via maliciously crafted HTML pages.
“You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy,” Kokorin explained.
“Query parameters can contain sensitive data – for example, in OAuth flows, this can lead to an account takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource.”
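To make the mechanism Kokorin describes concrete, the following is an added example (it is not code from the article, from Google or from Solidlab). It models how a browser derives the Referer header from the page URL under each referrer policy and audits an HTTP Link header for entries that would leak query parameters. Under Chrome’s default policy, strict-origin-when-cross-origin, a third-party image fetched from an OAuth callback page receives only the page’s origin; if a subresource response can supply a policy such as unsafe-url, the same image host receives the full URL, including the authorization code. The example assumes the policy arrives as a `referrerpolicy` parameter on a preload Link entry (a shape the HTML spec permits; the article does not show the exact header Kokorin used), and every URL and header below is constructed sample data.

```javascript
// Added example (not from the article, Google or Solidlab). Models Referer
// derivation per W3C Referrer Policy and audits a Link header for entries
// whose header-supplied policy would leak query parameters cross-origin.
// The `referrerpolicy` Link parameter and all URLs here are assumptions /
// constructed sample data.

// Origin of a URL with the trailing slash a Referer header carries.
function originOf(url) {
  return new URL(url).origin + "/";
}

// Full URL minus credentials and fragment: what "unsafe-url" sends.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.protocol === "wss:" || u.hostname === "localhost";
}

// Referer sent with a request for `target` from a page at `page` under `policy`.
// Returns null when no Referer header is sent at all.
function referrerFor(page, target, policy) {
  const sameOrigin = new URL(page).origin === new URL(target).origin;
  const downgrade = isPotentiallyTrustworthy(page) && !isPotentiallyTrustworthy(target);
  switch (policy) {
    case "no-referrer":
      return null;
    case "origin":
      return originOf(page);
    case "unsafe-url":
      return stripForReferrer(page);
    case "same-origin":
      return sameOrigin ? stripForReferrer(page) : null;
    case "strict-origin":
      return downgrade ? null : originOf(page);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(page);
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(page) : originOf(page);
    case "":
    case "strict-origin-when-cross-origin": // the default in current browsers
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(page) : originOf(page);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Names of the page's query parameters that reach `target` inside the Referer.
function leakedQueryParams(page, target, policy) {
  const ref = referrerFor(page, target, policy);
  return ref === null ? [] : [...new URL(ref).searchParams.keys()];
}

// Parse an HTTP Link header into [{ target, params }] (RFC 8288 syntax;
// quoted commas inside parameter values are not supported).
function parseLinkHeader(value) {
  return value.split(/,(?=\s*<)/).map((entry) => {
    const m = entry.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) throw new Error(`malformed Link entry: ${entry}`);
    const params = {};
    for (const part of m[2].split(";")) {
      const kv = part.trim();
      if (!kv) continue;
      const eq = kv.indexOf("=");
      const k = (eq === -1 ? kv : kv.slice(0, eq)).trim().toLowerCase();
      const v = eq === -1 ? "" : kv.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      params[k] = v;
    }
    return { target: m[1], params };
  });
}

// Audit a Link header seen on any response while `page` is open: report each
// entry whose policy (header-supplied or the page default) leaks query params.
function auditLinkHeader(page, linkHeader, pagePolicy = "strict-origin-when-cross-origin") {
  return parseLinkHeader(linkHeader)
    .map((e) => {
      const policy = (e.params.referrerpolicy || pagePolicy).toLowerCase();
      const target = new URL(e.target, page).href;
      return { target, policy, leaked: leakedQueryParams(page, target, policy) };
    })
    .filter((e) => e.leaked.length > 0);
}

// Constructed sample: an OAuth callback page and a Link header from a
// third-party image response that overrides the referrer policy.
const SAMPLE_PAGE = "https://app.example.com/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj";
const SAMPLE_LINK = '<https://cdn.third-party.example/pixel.png>; rel=preload; as=image; referrerpolicy=unsafe-url, ' +
  '<https://cdn.third-party.example/site.css>; rel=preload; as=style';

console.log(auditLinkHeader(SAMPLE_PAGE, SAMPLE_LINK));
// Only the pixel.png entry is reported, with leaked: ["code", "state"].
```

Running the block with Node prints the one offending Link entry; the `site.css` entry inherits the default policy and leaks nothing. The practical takeaway for application developers is independent of the Chrome fix: an OAuth callback page should not embed third-party subresources while the authorization code is still in its URL, or should remove the code from the address (for example with `history.replaceState`) before any such load happens.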

Google fixed the flaw for users in the Stable Desktop channel, with patched versions (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS) rolling out to users worldwide.
While the company says the security updates may take days or weeks to reach all users, they were immediately available when BleepingComputer checked for updates.
Users who do not want to update Chrome manually can let the browser check for new updates automatically and install them after the next launch. To confirm the installed version, open the Chrome menu, then Help, then About Google Chrome (chrome://settings/help); this page also triggers an update check.
In March, Google also patched a high-severity Chrome zero-day (CVE-2025-2783) that was abused to deploy malware in espionage attacks targeting Russian government organizations, media outlets, and educational institutions.
Researchers at Kaspersky, who discovered the actively exploited zero-day, said the attackers used CVE-2025-2783 to bypass Chrome’s sandbox protections and infect targets with malware.
Last year, Google patched 10 Chrome zero-days that were either exploited in attacks or demonstrated during the Pwn2Own hacking competition.